01-10-2013 12:46 PM - edited 03-11-2019 05:45 PM
Equipment used:
VBrick Systems Inc., Model HPS 7102 HS-HD
Cisco ASA5520 Firewall
I have been trying to take a vBrick RTSP stream and stream it outside of our network:
Inside our network, if I were to open VLC, and go to “Media”, “Open Network Stream” and paste rtsp://123.123.157.10/vbStream1S1, the stream works, audio and video.
Outside our network, nothing. I have opened ALL UDP and TCP ports to the vBrick 123.123.157.10 on our firewall and tried from outside of our network:
access-list access-in extended permit tcp any host 123.123.157.10 range 1 65535
access-list access-in extended permit udp any host 123.123.157.10 range 1 65535
After adding this to the access list, the web GUI http://123.123.157.10 (uses port 80) and FTP ftp://123.123.157.10 (uses port 21) are functional outside of our network...just not the RTSP stream, which works fine internally.
Any ideas? Not sure what else to try. Any help will be appreciated!
Thanks.
01-10-2013 01:13 PM
Hi,
Do you have the following configuration on the ASA?
policy-map global_policy
 class inspection_default
  inspect rtsp
Sometimes either missing or having a certain "inspect" might cause problems with connections. Most commonly I have faced this with "inspect esmtp" and things related to "inspect h323".
You could try either removing or adding the above inspect depending on what the current setting is.
If it has been enabled you could try to see what the following command output shows for you
show service-policy inspect rtsp
Have you tried viewing firewall logs through ASDM while trying these connections from outside?
But this is from me truly a long shot and a pure guess and I have no real information from previous experience that could help.
- Jouni
01-11-2013 08:11 AM
Jouni,
Thanks for your reply. Yes, I have tried removing and adding inspect rtsp to the policy-map below to see if that would change anything but it did not. I even removed all below that are being inspected briefly but still nothing.
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect icmp
I tried to show the service-policy as you stated above but I get this:
PC-23851-ASA5520# show service-policy inspect ?
dns Show statistics for inspect DNS policy
esmtp Show statistics for inspect ESMTP policy
ftp Show statistics for inspect FTP policy
gtp Show status/statistics of 'inspect gtp' policy
h323 Show statistics for inspect H323 function
http Show statistics for inspect HTTP policy
im Show statistics for inspect im policy
ipsec-pass-thru Show statistics for inspect IPSEC-PASS-THRU policy
radius-accounting Show information for inspect radius-accounting policy
sip Show statistics for inspect SIP policy
skinny Show statistics for inspect skinny policy
waas Show statistics for inspect waas policy
PC-23851-ASA5520# show service-policy inspect rtsp
^
ERROR: % Invalid input detected at '^' marker.
PC-23851-ASA5520#
I've asked multiple people about this but no one can seem to figure it out. All I want to do is take this stream (that streams fine inside the network) and be able to view it outside of the network. The only thing I can think of that would keep that from happening is something firewall related. Other services that the vBrick serves (FTP, HTTP etc.) work fine outside the network when those ports are opened (port 21 and 80 respectively). Is there anything else I need to look at? Anyone's help would be greatly appreciated!
I also have ASDM loaded but not sure where to look within the program to monitor the rtsp traffic (if there is any).
Thanks again!
01-11-2013 08:54 AM
Hi,
I'm not sure on the reason it doesn't accept your command. Might be if you don't have "inspect rtsp" configured it won't show it at all. Or there is some software related thing.
If you want to monitor connections to the host on the LAN you use the ASDM in the following way
One alternative way is to capture traffic on the ASA directly to see what is moving between the host on the outside and the host on the LAN.
- Jouni
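The capture approach mentioned in the reply above, written out as ASA CLI commands. This is an added example, not part of the original thread. The interface names `outside` and `inside`, the external test client 198.51.100.25 (a constructed address), and RTSP control on its default TCP port 554 are assumptions; 123.123.157.10 is the vBrick address from the thread.

```cisco
! Added example; assumptions: interfaces are named "outside" and "inside",
! 198.51.100.25 is a constructed external test client, RTSP control is TCP 554.

! 1. Simulate the RTSP control connection through the ACL/NAT/inspection path.
packet-tracer input outside tcp 198.51.100.25 50000 123.123.157.10 554 detailed

! 2. Show which service-policy actions (including inspections) match the flow.
show service-policy flow tcp host 198.51.100.25 host 123.123.157.10 eq 554

! 3. Capture the same conversation on both sides of the firewall.
capture capout interface outside match ip host 198.51.100.25 host 123.123.157.10
capture capin interface inside match ip host 198.51.100.25 host 123.123.157.10

! 4. Start the stream in VLC from the external client, then compare.
!    Packets in capout but not in capin: the ASA is dropping them.
!    TCP 554 in both but no UDP afterwards: the media flow is not arriving
!    or not returning.
show capture capout
show capture capin
show conn address 123.123.157.10

! 5. Accelerated-security-path drops, if the ASA itself discards packets.
capture asp type asp-drop all
show capture asp | include 123.123.157.10

! 6. Remove the captures when finished.
no capture capout
no capture capin
no capture asp
```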